
Feature/OIDC auth support#613

Open
TheoAtTechStack wants to merge 16 commits into fastenhealth:main from LifeValue:feature/oidc-auth-support

Conversation

@TheoAtTechStack (Contributor) commented Oct 9, 2025


🔐 OIDC & SSO Authentication Integration

This update introduces OpenID Connect (OIDC) authentication to the Fasten backend and frontend, enabling secure login via Google and other SSO providers (e.g., Auth0, Azure AD, Okta).


🚀 Overview

The authentication flow has been refactored to support OIDC-based login alongside traditional username/password authentication.

The new OIDC system allows users to:

  • Log in with an external identity provider (Google, Auth0, etc.)

  • Automatically create or link a user record in our database

  • Receive a signed JWT token for application access

  • Be redirected back to the frontend after successful login

This implementation is designed to be easily extendable for additional providers through configuration only (no code changes required).


🧩 Architecture

1. Backend (Go + Gin)

  • Introduces a generic OIDC handler that:

    • Loads provider configurations from config.yml

    • Initiates authorization redirects to each provider

    • Handles the provider callback

    • Verifies the OIDC ID token and extracts claims

    • Creates or updates a local user entry

    • Issues a JWT token for session continuity

    • Redirects the browser to the frontend with the token as a parameter

  • Supports multiple OIDC providers defined in config.

Example config:

auth:
  oidc_providers:
    - name: google
      issuer: https://accounts.google.com
      client_id: "<google_client_id>"
      client_secret: "<google_client_secret>"
      redirect_url: "http://localhost:4200/api/oidc/google/callback"

Each provider configuration is auto-discovered and exposed through the /api/oidc/providers endpoint.


2. Database

A new auth_type column was added to the users table via migration to distinguish between:

  • local (username/password users)

  • oidc (users created via OIDC)

During OIDC login:

  • If a user with the same email exists, it’s linked.

  • If not, a new user record is created with a generated password (since OIDC users don’t require local auth).


3. Frontend (Angular)

  • Added a SSO login UI showing available OIDC providers dynamically.

  • When a provider is selected, the browser redirects to /api/oidc/<provider>.

  • The backend completes the OAuth2 flow and redirects the user back to /oidc/<provider>/callback?token=<jwt>.

  • The AuthCallbackComponent in Angular:

    • Parses the token

    • Calls completeOidcLogin(token)

    • Redirects the user to the main application route (e.g., /dashboard)


🔄 Login Flow Summary

[Frontend] User clicks “Sign in with Google”
      ↓
[Backend] Redirects to Google Auth endpoint
      ↓
[Google] User authenticates
      ↓
[Backend] Handles callback → verifies token → issues JWT → redirects with ?token=<jwt>
      ↓
[Frontend] Receives token → stores it → user logged in

🧪 Testing Providers

Google

  • Already tested with accounts.google.com

  • Flow confirmed working end-to-end

Auth0

  • Added configuration for a second provider

  • Verified login via Auth0-hosted page

  • Confirms system supports enterprise SSO (Azure AD, Okta, etc.)


🛠️ Migrations

A new migration adds the auth_type column.


🧱 Future Improvements

  • Add dynamic OIDC provider registration (via admin UI or database)

  • Map provider roles/groups to local roles

  • Implement token refresh & logout endpoints

  • Support multi-tenant configurations


✅ Summary

Component   Change
Backend     Added modular OIDC authentication handler
Frontend    Added dynamic provider selection and callback handler
Database    Added auth_type column for user differentiation
Config      Supports multiple OIDC providers (Google, Auth0, etc.)
Testing     Verified login via both providers end-to-end
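The callback path described above (verify claims, link or create the user by email, issue the application JWT, redirect to /oidc/<provider>/callback?token=<jwt>), as an added standard-library Go sketch that is not code from this PR or from the Fasten project. It assumes an in-memory map in place of the users table, an HS256 application token with a shared secret (the PR does not state the JWT algorithm), that the provider's ID-token signature has already been verified before the claims are trusted, and a frontend base URL passed in as a parameter. The state comparison and the email_verified requirement before linking are the example's own additions, not something the PR describes:

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// Provider mirrors one entry under auth.oidc_providers in config.yml.
type Provider struct{ Name, Issuer, ClientID, RedirectURL string }

// User stands in for a users-table row; AuthType is the new auth_type column ("local" or "oidc").
type User struct{ Email, AuthType, PasswordHash string }

// Claims is the subset of ID-token claims the callback uses. The ID token's signature is
// assumed (in this example) to have been verified against the provider's keys already.
type Claims struct {
	Iss           string `json:"iss"`
	Aud           string `json:"aud"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
}

// tokenBody is the payload of the application JWT handed to the frontend.
type tokenBody struct {
	Sub      string `json:"sub"`
	AuthType string `json:"auth_type"`
	Iat      int64  `json:"iat"`
	Exp      int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// sign computes the HS256 MAC over a JWT signing input.
func sign(secret []byte, input string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// randomToken returns 128 bits of CSPRNG output, used for the generated password.
func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b64(b)
}

// LinkOrCreate applies the PR's rule: link the existing user with the same email, otherwise
// create an oidc user with a generated password. Linking by email happens only when the
// provider asserts email_verified (that check is the example's own addition).
func LinkOrCreate(store map[string]*User, p Provider, c Claims) (*User, error) {
	if c.Iss != p.Issuer || c.Aud != p.ClientID {
		return nil, errors.New("id token not issued by this provider for this client")
	}
	if c.Email == "" || !c.EmailVerified {
		return nil, errors.New("no verified email claim; refusing to link by email")
	}
	if u, ok := store[c.Email]; ok {
		return u, nil // existing local or oidc user is linked; its auth_type is left as is
	}
	u := &User{Email: c.Email, AuthType: "oidc", PasswordHash: "generated:" + randomToken()}
	store[c.Email] = u
	return u, nil
}

// IssueJWT signs the one-hour HS256 application token that the frontend receives.
func IssueJWT(secret []byte, u *User, now time.Time) string {
	payload, _ := json.Marshal(tokenBody{Sub: u.Email, AuthType: u.AuthType, Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()})
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	return signingInput + "." + b64(sign(secret, signingInput))
}

// HandleCallback is the provider callback: state check, link-or-create, JWT issue, and the
// final redirect to the frontend's /oidc/<provider>/callback?token=<jwt> route.
func HandleCallback(store map[string]*User, p Provider, secret []byte, wantState, gotState string, c Claims, now time.Time, frontend string) (string, error) {
	if !hmac.Equal([]byte(wantState), []byte(gotState)) {
		return "", errors.New("state mismatch")
	}
	u, err := LinkOrCreate(store, p, c)
	if err != nil {
		return "", err
	}
	return frontend + "/oidc/" + url.PathEscape(p.Name) + "/callback?token=" + url.QueryEscape(IssueJWT(secret, u, now)), nil
}

func main() {
	// Constructed demo values; a real handler takes these from config.yml and the provider response.
	fmt.Println(IssueJWT([]byte("demo-secret"), &User{Email: "demo@example.com", AuthType: "oidc"}, time.Now()))
}
```

The issuer and audience comparison is what ties a token back to the configured provider entry, and the constant-time state comparison is the callback-side half of the CSRF protection the authorization request's state parameter provides; both are cheap to keep even when a library such as go-oidc does the signature work.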

socket-security bot commented Oct 9, 2025

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.


@TheoAtTechStack (Contributor, Author)

Google.Auth.config.DEMO.mov

@TheoAtTechStack (Contributor, Author)

This PR aims to solve the OIDC authentication flow mentioned here: #47

@TheoAtTechStack TheoAtTechStack force-pushed the feature/oidc-auth-support branch from b8589a4 to a5fc90f on October 16, 2025 08:15
@TheoAtTechStack TheoAtTechStack marked this pull request as ready for review October 28, 2025 12:48
@evolve2k

Bump. Ready for review :)


3 participants